- SquareX says attackers can abuse the Fullscreen API in Safari to trick people into using remote browsers
- Browser-in-the-Middle attacks are effective at stealing login credentials
- Apple says protections are in place and will not pursue the issue further
The Fullscreen API, a standard web API supported by Apple's Safari browser that lets web developers present specific elements in full-screen mode, is being abused in convincing password-theft attacks, experts have warned.
Security researchers at SquareX say they have observed a rise in attacks of this type, which rely on the browser-in-the-middle (BitM) technique.
In essence, victims are tricked into interacting with a remote browser that is under the attackers' control. Because that remote browser is displayed in full-screen mode, the local browser's UI and system elements are hidden, making the attack harder to spot.
Protections in place
As a result, victims log in to their accounts inside the remote browser while believing they are doing so on their own device.
The login itself succeeds, but the session runs on the attacker's machine, which lets them harvest credentials, authentication cookies and more.
"SquareX's research team has observed multiple instances of the browser's Fullscreen API being used to address this flaw by displaying a full-screen BitM window that covers the parent window's address bar, as well as a limitation specific to Safari browsers that makes full-screen attacks particularly convincing," the researchers said in their report.
The "limitation specific to Safari browsers" the researchers mention apparently concerns notifications: Apple's browser reportedly does not properly warn users when a window enters full-screen mode.
The researchers said competing browsers, such as Chromium-based ones or Firefox, display a warning when full screen is activated. Users may still miss that warning, but the odds are lower than in Safari, where there is none. Instead, the only signal is a swipe animation that the researchers say is easy to miss.
"While the attack works on all browsers, BitM full-screen attacks are particularly convincing on Safari browsers due to the lack of clear visual cues when entering full screen," SquareX concluded.
The researchers also said they contacted Apple, which decided not to pursue the issue, apparently considering the animation a sufficient signal.
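The cue Safari is reported to lack can be approximated from inside a site you control, or from a browser extension's content script, by listening for the Fullscreen API's change events and pinning a banner that names the page's real origin for as long as full screen is active. The example below is added here and is not code from the article or from SquareX; the origin `https://attacker.example`, the container element and the stand-in document used for running outside a browser are all constructed for illustration.

```javascript
// Added example (not from the article or from SquareX): a content-script style
// guard that restores a visible full-screen indicator. When any element enters
// full screen, a banner naming the page's real origin is pinned inside that
// element until full screen ends. A BitM page can draw a fake address bar, but
// it cannot change this text, which comes from location.origin, not from page
// content.
//
// In a real browser: installFullscreenGuard(document, location).
// Under Node there is no DOM, so a constructed stand-in (below) exercises the
// same logic offline.

function bannerText(origin, element) {
  const tag = element && element.tagName ? String(element.tagName).toLowerCase() : 'unknown';
  return `Full screen controlled by ${origin} (<${tag}>). Press Esc to exit.`;
}

function currentFullscreenElement(doc) {
  // Unprefixed name first, then the WebKit-prefixed name older Safari exposes.
  return doc.fullscreenElement || doc.webkitFullscreenElement || null;
}

function installFullscreenGuard(doc, loc) {
  const state = { active: false, origin: loc.origin, text: '', banner: null };

  function show(el) {
    if (!state.banner) {
      state.banner = doc.createElement('div');
      Object.assign(state.banner.style, {
        position: 'fixed', top: '0', left: '0', right: '0', padding: '8px',
        background: '#b00020', color: '#fff', font: '14px system-ui',
        textAlign: 'center', zIndex: '2147483647',
      });
    }
    state.text = bannerText(state.origin, el);
    state.banner.textContent = state.text;
    // While full screen is active only the full-screen element and its
    // descendants are rendered, so the banner has to live inside that element.
    el.appendChild(state.banner);
    state.active = true;
  }

  function hide() {
    if (state.banner && state.banner.parentNode) {
      state.banner.parentNode.removeChild(state.banner);
    }
    state.active = false;
    state.text = '';
  }

  function onChange() {
    const el = currentFullscreenElement(doc);
    if (el) show(el); else hide();
  }

  doc.addEventListener('fullscreenchange', onChange);
  doc.addEventListener('webkitfullscreenchange', onChange);
  onChange(); // pick up a full screen that was already active at install time
  return state;
}

// Constructed stand-in for running outside a browser; not a real DOM.
function makeFakeDocument() {
  const listeners = {};
  const makeEl = (tagName) => {
    const el = { tagName, style: {}, textContent: '', parentNode: null, children: [] };
    el.appendChild = (child) => { child.parentNode = el; el.children.push(child); return child; };
    el.removeChild = (child) => {
      el.children = el.children.filter((c) => c !== child);
      child.parentNode = null;
      return child;
    };
    return el;
  };
  return {
    fullscreenElement: null,
    createElement: makeEl,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type) { (listeners[type] || []).forEach((fn) => fn()); },
  };
}

// Walks one enter/exit cycle against the stand-in and reports what the banner did.
function demo() {
  const doc = makeFakeDocument();
  const loc = { origin: 'https://attacker.example' }; // hypothetical origin
  const state = installFullscreenGuard(doc, loc);
  const container = doc.createElement('div'); // would hold fake chrome + remote-browser iframe
  doc.fullscreenElement = container;
  doc.dispatch('webkitfullscreenchange');
  const whileActive = { active: state.active, text: state.text, inside: container.children.includes(state.banner) };
  doc.fullscreenElement = null;
  doc.dispatch('fullscreenchange');
  return { whileActive, afterExit: { active: state.active, inside: container.children.includes(state.banner) } };
}

if (typeof document === 'undefined') console.log(JSON.stringify(demo(), null, 2));
```

Two caveats apply. Because the guard runs in the same DOM as the page, a hostile page's script can remove the banner or avoid triggering it, so this is a mitigation for sites and extensions you control, not a replacement for the browser-level indicator the researchers are asking for. And any banner placed outside the full-screen element will not be visible at all, since the Fullscreen API renders only that element and its descendants while active.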
Via BleepingComputer